Add CredentialsProvider for system service account (SSA) in C++ SDK (#14861)

Author: Gazizonoki

ydb/public/api/client/yc_private/iam/iam_token_service.proto

@@ -18,6 +18,9 @@ service IamTokenService {
   // create iam token for service account
   rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);
 
+  // create iam token for service
+  rpc CreateForService (CreateIamTokenForServiceRequest) returns (CreateIamTokenResponse);
+
   // create iam token for compute instance
   rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);
 
@@ -50,6 +53,14 @@ message CreateIamTokenForServiceAccountRequest {
   string service_account_id = 1;
 }
 
+message CreateIamTokenForServiceRequest {
+  string service_id = 1;
+  string microservice_id = 2;
+  string resource_id = 3;
+  string resource_type = 4;
+  string target_service_account_id = 5;
+}
+
 message CreateIamTokenForComputeInstanceRequest {
   string service_account_id = 1;
   string instance_id = 2;

ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/types.h

@@ -0,0 +1,15 @@
+#pragma once
+
+#include <ydb-cpp-sdk/client/iam/common/types.h>
+
+namespace NYdb::inline V3 {
+
+struct TIamServiceParams : TIamEndpoint {
+    std::string ServiceId;
+    std::string MicroserviceId;
+    std::string ResourceId;
+    std::string ResourceType;
+    std::string TargetServiceAccountId;
+};
+
+}

ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common/ya.make

@@ -0,0 +1,13 @@
+LIBRARY(client-iam-private-common-include)
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+    types.h
+)
+
+PEERDIR(
+    ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()

ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/iam.h

@@ -1,5 +1,7 @@
 #pragma once
 
+#include "common/types.h"
+
 #include <ydb-cpp-sdk/client/iam/common/types.h>
 
 namespace NYdb::inline V3 {
@@ -10,4 +12,7 @@ TCredentialsProviderFactoryPtr CreateIamJwtFileCredentialsProviderFactoryPrivate
 /// Acquire an IAM token using JSON Web Token (JWT) contents.
 TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPrivate(const TIamJwtContent& param);
 
+/// Acquire an IAM token for system service account (SSA).
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params);
+
 } // namespace NYdb

ydb/public/sdk/cpp/src/client/iam/common/iam.h

@@ -19,12 +19,19 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
 protected:
     using TRequestFiller = std::function<void(TRequest&)>;
 
+    using TSimpleRpc =
+        typename NYdbGrpc::TSimpleRequestProcessor<
+            typename TService::Stub,
+            TRequest,
+            TResponse>::TAsyncRequest;
+
 private:
     class TImpl : public std::enable_shared_from_this<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>::TImpl> {
     public:
-        TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller)
+        TImpl(const TIamEndpoint& iamEndpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
             : Client(std::make_unique<NYdbGrpc::TGRpcClientLow>())
             , Connection_(nullptr)
+            , Rpc_(rpc)
             , Ticket_("")
             , NextTicketUpdate_(TInstant::Zero())
             , IamEndpoint_(iamEndpoint)
@@ -67,7 +74,7 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
             Connection_->template DoRequest<TRequest, TResponse>(
                 std::move(req),
                 std::move(cb),
-                &TService::Stub::AsyncCreate,
+                Rpc_,
                 { {}, {}, IamEndpoint_.RequestTimeout }
             );
 
@@ -142,9 +149,9 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
         }
 
     private:
-
         std::unique_ptr<NYdbGrpc::TGRpcClientLow> Client;
         std::unique_ptr<NYdbGrpc::TServiceConnection<TService>> Connection_;
+        TSimpleRpc Rpc_;
         std::string Ticket_;
         TInstant NextTicketUpdate_;
         const TIamEndpoint IamEndpoint_;
@@ -157,8 +164,8 @@ class TGrpcIamCredentialsProvider : public ICredentialsProvider {
     };
 
 public:
-    TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller)
-        : Impl_(std::make_shared<TImpl>(endpoint, requestFiller))
+    TGrpcIamCredentialsProvider(const TIamEndpoint& endpoint, const TRequestFiller& requestFiller, TSimpleRpc rpc)
+        : Impl_(std::make_shared<TImpl>(endpoint, requestFiller, rpc))
     {
         Impl_->UpdateTicket(true);
     }
@@ -186,7 +193,7 @@ class TIamJwtCredentialsProvider : public TGrpcIamCredentialsProvider<TRequest,
         : TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
             [jwtParams = params.JwtParams](TRequest& req) {
                 req.set_jwt(MakeSignedJwt(jwtParams));
-            }) {}
+            }, &TService::Stub::AsyncCreate) {}
 };
 
 template<typename TRequest, typename TResponse, typename TService>
@@ -196,7 +203,7 @@ class TIamOAuthCredentialsProvider : public TGrpcIamCredentialsProvider<TRequest
         : TGrpcIamCredentialsProvider<TRequest, TResponse, TService>(params,
             [token = params.OAuthToken](TRequest& req) {
                 req.set_yandex_passport_oauth_token(TStringType{token});
-            }) {}
+            }, &TService::Stub::AsyncCreate) {}
 };
 
 template<typename TRequest, typename TResponse, typename TService>

ydb/public/sdk/cpp/src/client/iam_private/common/iam.h

@@ -0,0 +1,28 @@
+#include <ydb-cpp-sdk/client/iam_private/common/types.h>
+
+#include <src/client/iam/common/iam.h>
+
+namespace NYdb::inline V3 {
+
+template<typename TRequest, typename TResponse, typename TService>
+
+class TIamServiceCredentialsProviderFactory : public ICredentialsProviderFactory {
+public:
+    TIamServiceCredentialsProviderFactory(const TIamServiceParams& params) : Params_(params) {}
+
+    TCredentialsProviderPtr CreateProvider() const final {
+        return std::make_shared<TGrpcIamCredentialsProvider<TRequest, TResponse, TService>>(Params_,
+                    [params = Params_](TRequest& req) {
+                        req.set_service_id(params.ServiceId);
+                        req.set_microservice_id(params.MicroserviceId);
+                        req.set_resource_id(params.ResourceId);
+                        req.set_resource_type(params.ResourceType);
+                        req.set_target_service_account_id(params.TargetServiceAccountId);
+                    }, &TService::Stub::AsyncCreateForService);
+    }
+
+private:
+    TIamServiceParams Params_;
+};
+
+}

ydb/public/sdk/cpp/src/client/iam_private/common/ya.make

@@ -0,0 +1,14 @@
+LIBRARY()
+
+INCLUDE(${ARCADIA_ROOT}/ydb/public/sdk/cpp/sdk_common.inc)
+
+SRCS(
+    iam.h
+)
+
+PEERDIR(
+    ydb/public/sdk/cpp/include/ydb-cpp-sdk/client/iam_private/common
+    ydb/public/sdk/cpp/src/client/iam/common
+)
+
+END()

ydb/public/sdk/cpp/src/client/iam_private/iam.cpp

@@ -1,17 +1,19 @@
-#include <ydb-cpp-sdk/client/iam_private/iam.h>
+#include "common/iam.h"
 
-#include <src/client/iam/common/iam.h>
+#include <ydb-cpp-sdk/client/iam_private/iam.h>
 
 #include <ydb/public/api/client/yc_private/iam/iam_token_service.pb.h>
 #include <ydb/public/api/client/yc_private/iam/iam_token_service.grpc.pb.h>
 
+using namespace yandex::cloud::priv::iam::v1;
+
 namespace NYdb::inline V3 {
 
 TCredentialsProviderFactoryPtr CreateIamJwtCredentialsProviderFactoryImplPrivate(TIamJwtParams&& jwtParams) {
     return std::make_shared<TIamJwtCredentialsProviderFactory<
-                    yandex::cloud::priv::iam::v1::CreateIamTokenRequest,
-                    yandex::cloud::priv::iam::v1::CreateIamTokenResponse,
-                    yandex::cloud::priv::iam::v1::IamTokenService
+                    CreateIamTokenRequest,
+                    CreateIamTokenResponse,
+                    IamTokenService
                 >>(std::move(jwtParams));
 }
 
@@ -25,4 +27,12 @@ TCredentialsProviderFactoryPtr CreateIamJwtParamsCredentialsProviderFactoryPriva
     return CreateIamJwtCredentialsProviderFactoryImplPrivate(std::move(jwtParams));
 }
 
+TCredentialsProviderFactoryPtr CreateIamServiceCredentialsProviderFactory(const TIamServiceParams& params) {
+    return std::make_shared<TIamServiceCredentialsProviderFactory<
+                    CreateIamTokenForServiceRequest,
+                    CreateIamTokenResponse,
+                    IamTokenService
+                >>(std::move(params));
+}
+
 }

ydb/public/sdk/cpp/src/client/iam_private/ya.make

@@ -8,7 +8,7 @@ SRCS(
 
 PEERDIR(
     ydb/public/api/client/yc_private/iam
-    ydb/public/sdk/cpp/src/client/iam/common
+    ydb/public/sdk/cpp/src/client/iam_private/common
 )
 
 END()